ssl - Nginx serving another site's SSL certificate

Tags: ssl nginx ssl-certificate

I am using Nginx to serve two sites. The first site (call it A) has an SSL certificate, the second (call it B) does not. Site A works fine over https and site B over http. However, when I access site B over https, nginx serves site A's SSL certificate and content under domain B, which should not happen.

The Nginx configuration for site A is below. For site B it is just a reverse proxy to a Flask application.

server {
        listen 80;
        server_name siteA.com;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name siteA.com;

        ssl_certificate /path/to/cert.cert;
        ssl_certificate_key /path/to/cert_key.key;

        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout   70;

        # and then the `location /` serving static files
}

I don't know what is going wrong here.

Accepted answer

Apparently I need a dedicated IP for site A.

Quoted from What exactly does "every SSL certificate requires a dedicated IP" mean?

When securing some connection with TLS, you usually use the certificate to authenticate the server (and sometimes the client). There's one server per IP/Port, so usually there's no problem for the server to choose what certificate to use. HTTPS is the exception -- several different domain names can refer to one IP and the client (usually a browser) connects to the same server for different domain names. The domain name is passed to the server in the request, which goes after TLS handshake. Here's where the problem arises - the web server doesn't know which certificate to present. To address this a new extension has been added to TLS, named SNI (Server Name Indication). However, not all clients support it. So in general it's a good idea to have a dedicated server per IP/Port per domain. In other words, each domain, to which the client can connect using HTTPS, should have its own IP address (or different port, but that's not usual).

Nginx is listening on port 443; when a request for site B comes in over https, the TLS handshake takes place and site A's certificate is presented before any content is served.
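
The behaviour in the question follows from how nginx chooses a server block on a TLS port: it matches the SNI name the client sends against `server_name`, and when nothing matches it falls back to the default server for that listen socket, which (absent `default_server`) is the first block defined for it. With only site A defined on 443, every name lands in site A's block and gets site A's certificate. The configuration below is an added example, not part of the original question or answer; it assumes the names siteA.com and siteB.com from the question, a Flask upstream on 127.0.0.1:5000 (an assumption), and placeholder certificate paths. It shows the two fixes a practitioner would normally pick instead of a second IP address: a separate TLS block for site B, and an explicit default server that refuses handshakes for names that have no certificate.

```nginx
# Added example (not from the original question or answer).
# Assumes: siteA.com / siteB.com as in the question, a Flask app on
# 127.0.0.1:5000 (assumption), placeholder certificate paths.

# Option 1: give site B its own TLS server block. nginx selects the block
# whose server_name matches the client's SNI name and serves that block's
# certificate, so SNI-capable clients never see site A's certificate.
server {
    listen 443 ssl;
    server_name siteB.com;

    ssl_certificate     /path/to/siteB.cert;      # placeholder path
    ssl_certificate_key /path/to/siteB_key.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:5000;          # assumed Flask address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Option 2: for any name that has no certificate of its own, refuse the
# handshake instead of silently falling back to site A's block. Without an
# explicit default_server nginx uses the first block defined on the socket,
# which is exactly why site A's certificate appeared for site B.
# ssl_reject_handshake needs nginx 1.19.4 or later; no certificate is
# required in this block.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

After `nginx -t` and a reload, check which certificate each name receives with `openssl s_client -connect siteB.com:443 -servername siteB.com </dev/null | openssl x509 -noout -subject`, and repeat without `-servername` to see what a client that sends no SNI gets. One caveat: a client that sends no SNI always lands in the default server, so with option 2 such clients are rejected for site A as well; if they must still reach site A, mark site A's block `default_server` instead and accept that those clients see site A's certificate for every name.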

Regarding "ssl - Nginx serving another site's SSL certificate", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/19016678/
